Advanced Chaes Malware Variant Utilizes Chrome DevTools Protocol for Data Theft

Image: Jefferson Santos (unsplash)

The Chaes malware has made a resurgence with an enhanced variant. This new iteration incorporates a specialized version of the Google DevTools protocol, granting it direct access to the browser internals of infected users. Through the protocol's WebSocket interface it then harvests data from the browser.

This malware was initially detected in November 2020, taking aim at e-commerce customers across Latin America. By the end of 2021, it had dramatically expanded its operations, as evidenced by Avast’s discovery of its distribution through 800 infiltrated WordPress websites.

Once a system is infected, Chaes implants malevolent extensions into the Chrome browser of its host. This allows the malware to maintain its presence, capture screenshots, extract saved passwords and credit card details, siphon cookies, and snatch online banking credentials.

Morphisec spotted the recent Chaes variant in January 2023. This version showed a keen interest in platforms including Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, MetaMask, and several CMS platforms, notably WordPress and Joomla.

The current campaign’s infection methodology mirrors past strategies, entailing misleading MSI installers. These launch a complex, multi-phase infection process, which utilizes seven unique modules to execute a range of actions.

Chaes v4

The latest iteration of Chaes exhibits advancements in several areas, amplifying the stealth and efficiency of the malware.

In their analysis, Morphisec points out the key modifications in this Chaes version:

  • Comprehensive code revamp.
  • Added layers of encryption paired with enhanced covert techniques.
  • A shift to Python for decryption and in-situ execution.
  • Supplanting ‘Puppeteer’ with Chrome DevTools for tracking Chromium browser activities.
  • Widening the net of services targeted for credential theft.
  • Opting for WebSockets for inter-module malware communication and the C2 server, sidelining HTTP.
  • Rolling out DGA (domain generation algorithm) for dynamic C2 server address determination.

Though ‘Puppeteer’, a Node.js library, was previously used to drive Chrome in headless mode, the notable change is Chaes’s adoption of the Chrome DevTools Protocol. This gives the malware the same capabilities a developer has in the DevTools panel: modifying live web pages, executing JavaScript, debugging, and inspecting memory, cookies and cache, among others, all of which it turns to data theft.

Morphisec elucidates, “Rather than passively waiting for the user to access the targeted service, this module proactively engages with the service’s website, extracting the pertinent data – all facilitated by Google’s DevTools Protocol.”

The malware methodically undergoes this procedure for every URL pre-set in the stealer module for data exfiltration.
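One way a defender can look for the behaviour described above is to correlate two events: a Chromium browser being started with remote debugging switched on, and a process that is not a browser then connecting to that loopback port. This is an added example, not code from the Morphisec report; it assumes the browser is exposed through Chromium's `--remote-debugging-port` switch (the article does not say how Chaes reaches the DevTools endpoint), and the log lines are constructed in a simplified key=value form.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not from the Morphisec report): process-creation
# and network-connection events in a simplified key=value form.
SAMPLE_EVENTS = [
    'type=proc pid=4100 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" cmd="chrome.exe --profile-directory=Default"',
    'type=proc pid=4188 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" cmd="chrome.exe --headless --remote-debugging-port=9222 --user-data-dir=C:\\Users\\u\\AppData\\Local\\Temp\\cdp"',
    'type=net pid=5020 image="C:\\Users\\u\\AppData\\Roaming\\py\\python.exe" dst=127.0.0.1 dport=9222',
    'type=net pid=4100 image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" dst=142.250.74.46 dport=443',
]

BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe", "chromium.exe")
DEBUG_FLAG = re.compile(r"--remote-debugging-port=(\d+)")  # assumed exposure path
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {k: q or u for k, q, u in KV.findall(line)}


def is_browser(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in BROWSERS


def detect_cdp_abuse(lines: List[str]) -> List[Tuple[str, str]]:
    """Two-stage check over ordered events:
    1. a Chromium browser launched with remote debugging enabled;
    2. a non-browser process connecting to that loopback DevTools port,
       the footprint a DevTools-Protocol-driven stealer leaves behind."""
    debug_ports = set()
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "")
        if ev.get("type") == "proc" and is_browser(image):
            m = DEBUG_FLAG.search(ev.get("cmd", ""))
            if m:
                debug_ports.add(m.group(1))
                findings.append(("browser_remote_debugging_enabled", image))
        elif ev.get("type") == "net" and not is_browser(image):
            if ev.get("dst", "").startswith("127.") and ev.get("dport") in debug_ports:
                findings.append(("non_browser_to_devtools_port", image))
    return findings


if __name__ == "__main__":
    for rule, image in detect_cdp_abuse(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

On the constructed sample this flags the headless debug-enabled Chrome launch and the python.exe connection to port 9222, while the ordinary browser session and its outbound HTTPS connection pass silently.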

Another significant shift is in the ‘Chrautos’ module. This module, tasked with C2 interactions and data theft from WhatsApp Web using JavaScript injections, now uses WebSockets for communication. WebSockets keep a persistent connection open, allowing instantaneous data exchange in both text and binary form, and blend in more easily than repeated HTTP requests.

All interactions between the C2 and the malware are formatted in JSON, encoded in base64, and encrypted using AES, as detailed by Morphisec.

Its use of a tailored version of Google Chrome’s DevTools protocol sets Chaes apart and underlines how deeply it reaches into the victim’s browser.

Moreover, Morphisec has identified numerous indicators that the modules of this malware are under continual refinement. This suggests a potential enhancement and expansion of their functionalities in the near future.